Passage of the CLOUD Act in the U.S. and the subsequent dismissal of the “Ireland Warrant” litigation raise two important questions. First, does the law grant sweeping new powers to reach data stored abroad? The reality is that it does not, because governments have long claimed such authority. Second, does the CLOUD Act, along with the proposed eEvidence Regulation in the EU, offer hope of a future where the rules for cross-border data demands are more rational, proportionate, predictable, and transparent? There is more work needed to ensure that these policies function effectively for law enforcement while protecting civil liberties. But we certainly hope so. In order to advance the conversation, Cisco commits to updating our transparency report to reflect more information about the nature and number of cross-border demands we receive for customer data.
On the first question about whether the CLOUD Act makes U.S. law more sweeping in its reach, we believe the answer is no, for three reasons.
- First, except for the period while Microsoft’s case was pending, U.S. courts have for decades held that the government may demand data in the custody or control of any person or entity subject to its jurisdiction — regardless of where those records are stored. Along with Microsoft and many other leading technology companies, Cisco asked the U.S. Supreme Court to limit the government’s ability to demand contents of communications from third parties when stored abroad. While we still believe that would have been a favorable outcome, passage of the new law simply clarified that the authority challenged by Microsoft remained in place.
- Second, there is nothing specific in either the language of the CLOUD Act or the leading decisions preceding its passage treating U.S. companies differently than companies headquartered abroad. U.S. courts have long held that any organization validly served with compulsory process by the government has to retrieve data within its custody or control. This is true for any company doing business in the U.S. — foreign or domestic. The governing law before the “Ireland Warrant” case actually stems from litigation between the U.S. government and the Bank of Nova Scotia in the 1980s. As the bank’s name suggests, the case did not involve a U.S. company at all. The government demanded bank records from a Canadian bank that were stored in Caribbean nations based on compulsory process served at an American branch. The logic of that case would similarly enable the U.S. government to demand records of data stored abroad in the hands of any entity — provided only that the corporation served is subject to personal jurisdiction in U.S. courts due to its business contacts in the country. That is to say, any company doing business in the U.S. is subject to the same laws when it comes to the rules regulating government access to customer data.
- Third, the language in the CLOUD Act and the case law that preceded it do not make the U.S. in any way unique. It is increasingly common for governments around the world to assert that they can reach across borders to demand data necessary to enforce criminal laws. For example, Brazilian authorities temporarily shut down access to Facebook’s WhatsApp service during a highly publicized dispute over that government’s ability to demand access to encrypted messages. And in the EU, the draft eEvidence Regulation will allow judicial authorities to ask for electronic evidence directly from a provider offering services in the EU, regardless of the location of data.
This debate highlights the possibility that companies may find themselves in the untenable position of being required under one country’s laws to produce data — and prohibited from doing so by the laws of another. In the U.S., the Department of Justice long ago adopted a policy requiring that federal prosecutors coordinate with headquarters before issuing so-called “Bank of Nova Scotia” demands. However, Cisco firmly believes that governments around the world should go further and spell out the specific criteria upon which a cross-border demand will be premised, how such determinations are made, who has the authority to authorize them, and how often such approvals occur.
This brings us to the second major point — we hope that these new laws and regulations will lend clarity, predictability, and rationality to requirements for cross-border data demands between like-minded governments. To the extent authorities around the world spell out the circumstances under which they will directly compel providers to produce data stored beyond their borders, it is essential that they also address the potential conflicts of law with third countries. This should include adopting meaningful safeguards for fundamental rights of individuals, which will benefit from more transparency around cross-border demands for data.
We also believe that transparency is a two-way street. Cisco publishes a transparency report where we provide aggregate data about the nature and types of law enforcement demands we receive seeking customer data. Given recent changes in the law adopted in the U.S., and pending in the EU, Cisco will update our transparency reporting accordingly. We commit on a going-forward basis to track and report cross-border demands for data in our transparency report found at trust.cisco.com.
There is a role for each of us — governments, technology providers, and customers — in balancing the needs of enterprise data security with the need to support law enforcement efforts aimed at fighting crime. At Cisco, we are doing our part by evolving the scope of our transparency reporting. Governments need to step up by rationalizing their systems for cross-border data demands. Customers should look for providers that deliver transparency around their processes and also demand more clarity and coordination from governments about their policies for cross-border data demands.
For more information, visit trust.cisco.com.